Threat actors used the EtherHiding technique to store ClearFake malware payloads inside BNB Smart Chain testnet smart contracts, creating takedown-resistant command-and-control infrastructure. Four smart contracts shared a single deployer wallet, with the campaign running for nearly a year. The attack chain used a compromised WordPress watering hole, sandbox evasion checks, OS-specific ClickFix social engineering overlays, and delivered two simultaneous stealers — SectopRAT (a .NET RAT) and ACRStealer (a C++ infostealer). A fourth smart contract served as an on-chain execution tracker, confirming each victim compromise in real time. Because blockchain data is immutable and decentralized, no security vendor or law enforcement can remove the payloads. Defenders are advised to block BSC testnet RPC traffic, disable WebClient where unneeded, restrict clipboard write access in browsers, and train users on fake CAPTCHA lures.
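The advice above to block BSC testnet RPC traffic can be backed by a detection pass over egress-proxy records, since EtherHiding payload retrieval is an Ethereum JSON-RPC read (`eth_call` against a contract) issued from a visitor's browser. The following is an added example, not code from the report or any vendor; the log records, the testnet hostname and the choice of JSON-RPC methods to flag are constructed assumptions, and the `eth_call` detail comes from the general EtherHiding technique rather than this page.

```python
import json

# Constructed sample egress-proxy records (not from the original report):
# one record per HTTP request, request body kept as a string.
SAMPLE_EVENTS = [
    {"src": "10.0.0.12", "host": "bsc-testnet-rpc.example", "path": "/",
     "body": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                         "params": [{"to": "0x" + "ab" * 20, "data": "0x"}, "latest"]})},
    {"src": "10.0.0.12", "host": "cdn.example", "path": "/jquery.min.js", "body": ""},
    {"src": "10.0.0.40", "host": "rpc.example", "path": "/",
     "body": json.dumps({"jsonrpc": "2.0", "id": 7, "method": "eth_chainId", "params": []})},
    {"src": "10.0.0.40", "host": "rpc.example", "path": "/",
     "body": json.dumps({"jsonrpc": "2.0", "id": 8, "method": "eth_call",
                         "params": [{"to": "0x" + "cd" * 20, "data": "0x"}, "latest"]})},
]

# Assumed hostname list for BSC testnet RPC endpoints; replace with the
# endpoints your network team maintains.
BSC_TESTNET_HOSTS = {"bsc-testnet-rpc.example"}
# Ethereum JSON-RPC methods that read contract code or state; an ordinary
# workstation browser has no reason to issue these.
CONTRACT_READ_METHODS = {"eth_call", "eth_getCode", "eth_getStorageAt"}


def parse_jsonrpc(body):
    """Return the JSON-RPC method name if body is a JSON-RPC 2.0 request, else None."""
    try:
        msg = json.loads(body)
    except (TypeError, ValueError):
        return None
    if isinstance(msg, dict) and msg.get("jsonrpc") == "2.0":
        return msg.get("method")
    return None


def classify(event):
    """Return an alert label for one proxy record, or None if nothing stands out."""
    method = parse_jsonrpc(event.get("body", ""))
    if event["host"] in BSC_TESTNET_HOSTS:
        return "block:bsc-testnet-rpc"            # known testnet endpoint: block outright
    if method in CONTRACT_READ_METHODS:
        return "alert:contract-read:" + method    # unknown RPC host, still a contract read
    return None


def scan(events):
    """Group findings per source host so each workstation yields one entry."""
    findings = {}
    for ev in events:
        label = classify(ev)
        if label:
            findings.setdefault(ev["src"], []).append((ev["host"], label))
    return findings


if __name__ == "__main__":
    for src, hits in scan(SAMPLE_EVENTS).items():
        print(src, hits)
```

The hostname match covers the page's blocking recommendation; the method match catches the same read pattern when the campaign moves to an RPC provider not yet on the list.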